During this period the Honeynet Project tested its first Global Distributed Honeynet (GDH) deployment. The
purpose of the GDH project was to make it as simple as possible for multiple people and organizations to
rapidly deploy a standardised virtual honeynet with centralized data collection and administration.
Developed and led by David Watson of the UK Honeynet Project Chapter, a bootable DVD based approach was
developed, which allowed participants to easily deploy a secured base OS (installed to a donor computer's
local hard drive), a virtual honeywall, and multiple virtual honeypots (high interaction honeypots, nepenthes
honeypots, client honeypots, etc) with the minimum of local configuration. Participants simply entered their
networking information into a configuration web page, downloaded a preconfigured ISO image, burned that
image to DVD and then booted the hands-off GDH installer. Once installation was complete, honeywall data was
automatically uploaded overnight to a central repository and all distributed nodes were managed remotely,
with various web based reporting interfaces being developed, along with a daily operational handlers diary
and regular analysis commentary. Eleven GDH nodes on multiple continents were successfully operated over a
period of six months, and an status report was released internally that summarised the observed activity.
Hopefully at least some of this data will be released to the public in the coming year, possibly as
a KYE:GDH white paper. In addition to GDH, some of the individual chapters are doing extensive deployments
of their own. Chapters include
A combined analysis of all the findings from the different chapters, our GDH deployment, and other sensors
is beyond the scope of this annual report. We will release detailed findings through our Know Your Enemy
whitepapers, presentations at conferences, and other media. To see what each individual chapter is learning,
reference the chapter status reports at the end of this report.
3.0 Lessons Learned
We identified several trends across many of the chapters. These trends include.
- GDH has demonstrated that large scale distributed data collection and analysis are complex,
time consuming efforts. Now that Phase 1 is complete we are reviewing the lessons
learned and identifying the best way to move forward (such as the use of honeypot farms, a more
focused effort on client and low-interaction solutions, more automated data analysis, more powerful
data analysis tools, etc).
- That automated collection and basic analysis of
Windows malware can now routinely be performed without the need for high interaction windows
honeypots (which is good news for operations/DA), but that increasingly malware authors are
attempting to detect, bypass or hide from automated collection and sandbox technologies.
- Many chapters are collecting extensive amounts of malware with Nepenthes.
We need improved centralization and analysis of malware making it easier to leverage that
information for the chapters and members.
Many of the chapters are working on a variety of new technologies. Below is a highlight
of some of those. For more information, refer to the respective chapter status reports.
- Capture-HPC is a high-interaction
client honeypot framework. Capture-HPC identifies malicious servers by interacting
with potentially malicious servers using a dedicated virtual machine and observing
its system for unauthorized state changes. Developed by Christian Seifert and
Ramon Steenson of the New Zealand Chapter.
- HoneyC is a low interaction client honeypot
framework that allows to find malicious servers on a network. Instead of using a
fully functional operating system and client to perform this task, HoneyC uses
emulated clients that are able to solicit as much of a response from a server
that is necessary for analysis of malicious content. Developed by Christian
Seifert of the New Zealand Chapter.
- Pehunter is a snort dynamic
preprocessor that grabs Windows executables off the network. It is intended to sit
inline in front of high-interactive honeypots. Developed and maintained by
Tillmann Werner of the German Chapter.
- Google Hack Honeypot is the reaction
to a new type of malicious web traffic: search engine hackers. It is designed to
provide reconnaissance against attackers that use search engines as a hacking tool.
Developed by Ryan McGeehan & Brian Engert of the Chicago Chapter.
- Honeymole: This is
used for honeypot farms. You deploy multiple sensors that redirect traffic to a
centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.
- Capture BAT: This is a behavioral
analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor
the state of a system during the execution of applications and processing of documents, which provides
an analyst with insights on how the software operates even if no source code is available. Capture BAT
monitors state changes on a low kernel level and can easily be used across various Win32 operating system
versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the New Zealand
- Honeysnap. Primary tool used for
extracting and analyzing data from pcap files, including IRC communications.
Developed and maintained by Arthur Clune of the UK Chapter.
- HoneyBow. HoneyBow is a high-interaction malware collection
toolkit and can be integrated with nepenthes and the mwcollect Alliance's GOTEK architecture.
Developed and maintained by Chinese Honeynet Project.
- High Interaction Honeypot Analysis Toolkit (HIHAT):
This tool transforms arbitrary PHP applications into web-based high-interaction Honeypots. Apart
from the possibility to create high-interaction honeypots, HIHAT furthermore
comprises a graphical user interface which supports the process of
monitoring the honeypot, analysing the acquired data. Last, it generates
an IP-based geographical mapping of the attack sources and generates
extensive statistics. HIHAT is developed and maintained by Michael Mueter
of the German Chapter.
In addition, we have now opened our development efforts to the public, including pubic SVN
access and public maillists. We hope to soon have publicly accessible Wiki sites
for all development efforts.
Public SVN access (RO)
5.0 Papers & Presentations
All Honeynet Project Know Your Enemy (KYE) papers go through an
extensive, internal review process. All paper topics have to be first
approved by the KYE committee. Then initial drafts are reviewed by the
KYE committee. Last, at minimum all final drafts are peer reviewed by
the entire membership. Only about 50% of submissions make it through
the process. In addition, we have started a new concept for papers
called "KYE Lite". These are shorter papers that are written about a specifc topic. While not having the depth of
traditional KYE papers, since these papers are more focused they can
have a shorter development process and bring information to the public
KYE: Fast-Flux Service Networks:
This whitepaper details a growing technique within the criminal community called
fast-flux networks. This is an architecture that builds more robust networks for malicious
activity while making them more difficult to track and shutdown. This is the first KYE
paper we are releasing in both .pdf and .html format. In addition, this research was presented at
Hack-in-the-Box Malaysia. You can find this presentation online at our
KYE: Malicious WebServers: In this paper, we take an in-depth
look at malicious web servers that attack web browsers and we evaluate several defensive
strategies that can be employed to counter this threat of client-side attacks. All the malicious
web servers identified in this study were found with our client honeypot
KYE: Web Application
Threats: This paper provides behind the scenes information on various HTTP-based attacks against
web applications, including remote file inclusion and exploitation of the PHPShell application.
The paper is based on the research and data collected from the Chicago Honeynet Project, the
New Zealand Honeynet Project and the German Honeynet Project during multiple honeypot compromises.
Along with the release of this paper, comes new functionality to the Google Hack Honeypot (GHH),
used extensively in the paper. GHH now includes an automated malware collection function, as well
as remote XML-RPC logging for SSL support.
Honeypots: The most current book on honeypots today, this excellent resource was published
by team members Thorsten Holz and Niels Provos.
One of the key challenges our organization has faced was that in reality we have been two different
organization, the core Honeynet Project and then associated members the Research Alliance. This structure
has caused problems, including issues of communication, coordination and transparency. At the
beginning of the year the membership and its leaders decided we needed a major restructuring, combining
both organizations into a single, legal entity. The goal is to create an organization simpler to
govern, improved communication, and more transparent operation. As a result, the Honeynet Research
Alliance has been officially merged into the Honeynet Project, as documented in our new bylaws (which
will be posted online soon).
The Honeynet Project will remain a non-profit 501c3 dedicated to
sharing findings with the community. In addition, it will become a chapter based organization,
with most of the the original Alliance organizations becoming the initial chapters. This combination
will create a more open, international organization that is easier to manage. In addition, we are
hoping this makes our research easier for the public to get involved, especially our development efforts.
We will be announcing more information soon on these changes.
7.1 Our biggest challenge is merging the Honeynet Project and Research Alliance into a single, legal entity.
The recent restructuring will meet those goals. We have recently approved the new bylaws. The
next step is the election of a new Board of Directors.
7.2 We want to work on better integration of all of our development efforts. Currently, many of
our development efforts are independently lead, with limited strategic interaction. We have kicked
off an internal project called the Strategic Research and Development Overview (SRDO) catalog all of our
development efforts, identify and document key leaders, and bring together better integration of all
of our development efforts.
None at this time.
9.0 Chapter Reports
Below you will find links to the status reports from each chapter of the Honeynet Project.
New Zealand Honeynet Project
Chicago Honeynet Project
UNAM Honeynet Project
Mexican Honeynet Project
Chinese Honeynet Project
Portuguese Honeynet Project
Alaskan Honeynet Project
Pakistan Honeynet Project
UNCC Honeynet Project
Brazilian Honeynet Project
Phillipine Honeynet Project
Singapore Honeynet Project
Spanish Honeynet Project
Costa Rican Honeynet Project
Norwegian Honeynet Project
UK Honeynet Project
West Point Honeynet Project
German Honeynet Project
GA Tech Honeynet Project
Japanese Honeynet Project